SC Magazine in the UK picked up on our Global Threat Report for June, based on statistics that derive from our ThreatSense.Net® threat-monitoring technology. Thanks, Dan: when you do as much writing as I do, it’s comforting to know that someone is reading it. ;-)
I thought, though, I’d develop some thoughts on a topic arising from that article.
SC Magazine tends to use the term “claimed” a lot. Which is fair enough: I don’t take the truth of anything this or any other software industry tells me for granted, and I don’t think anyone else should. And it’s perfectly true that while the fact that ThreatSense.Net® reports an awful lot of Conficker-related detections is statistical fact (but I’ll come back to that in a second), I did say that I “guessed” that this was partly because “users still are not taking basic steps such as timely patching and disabling Autorun to protect their computers and themselves from cyber attack.” (Actually, I could have added something about using and properly maintaining anti-malware products there, but it’s pretty obvious that an absence of antivirus protection is a factor.)
However, the SC report also mentions a comparison I made between Conficker and some elderly mass mailers that are still circulating. “The report also claimed that massmailers such as Netsky, Mydoom and Bagle are still lingering despite patches being released.” Putting it this way actually gives the impression that these little beauties are still in circulating because people don’t patch, and in some cases (and with some variants) this is indeed a factor.
However, what I actually said is that “Conficker is not the only malware to hang around long after a patch has been released; massmailers such as Netsky, Mydoom and Bagle still linger on, although in much smaller numbers, years after patches and antivirus definitions have been released. However, Conficker, being less reliant on direct social engineering, should really be declining in impact by now after all the publicity it’s received.”
That’s an important distinction. Good patching practice is important, and the three practices mentioned (patching, disabling autorun, and securing network shares) provide a lot of protection against Conficker. But most malware uses social engineering as well as or instead of exploiting vulnerabilities. Unfortunately, the “gullibility gene” in computer users is not only the most successfully exploited “vulnerability” around, it’s the hardest to patch. Which is, of course, one of the arguments for continuing to use malware detection products in a multi-layered strategy that also includes generic and precautionary measures such as patching.
But I said I’d come back to statistical accuracy. Well, our “claims” in this months report are based on two statistical resources. ThreatSense.Net® monitors threat trends using a facility built into our products: when an ESET-protected machine detects malware, it calls home to tell us about it. Of course, that mechanism is both anonymised and optional. However, that means that it can’t be totally accurate. For instance, it’s difficult to compensate for an instance where two or more machines are detecting malware from the same source: however, it’s reasonable to assume most of the time that where we see a spike, it indicates a general trend, and that’s what we’re looking for, not exact but spurious figures. In any case, it’s already a self-selective mechanism, since it polls only machines protected by ESET products.
The other resource is a monitoring mechanism called Virus Radar, which only picks up email-borne threats (executables rather than links). We don’t talk about that much nowadays, because that’s a vector that isn’t much used nowadays by new malware, and to make a big deal out of what we still pick up that way would give a false impression of the current threatscape as we see it. Even then, though, that “as we see it” is important. Different products generate different figures according to who buys the product and where it sits. Like Virus Radar, products that sit on mail gateways will still see a lot of massmailer activity, which is probably why Netsky, for instance, is still prominent in Virus Bulletin’s prevalence report. This is less a case of proving anything you want with statistics (though you probably can….) than of the importance of correctly interpreting statistics.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, We Live Security